We know that cybersecurity standards in U.S. government agencies have not exactly been up to par, but how bad is it, really?
After serious incidents such as the SolarWinds supply-chain compromise and the 2015 Office of Personnel Management (OPM) breach, anyone could answer that question with "not good."
Now we have an actual score for the federal agencies entrusted with Americans' sensitive data: a whopping C-minus.
While a C-minus might be a passing grade in school, it is certainly not a passing grade when the job is defending a nation's critical infrastructure and other sensitive data.
Bipartisan report on federal agencies' cybersecurity
Senators Rob Portman and Gary Peters jointly released a new report, Federal Cybersecurity: America's Data Still at Risk, that examines the cybersecurity practices of eight federal agencies, seven of which have continued to fall short of baseline cybersecurity requirements.
This comes two years after Portman's 2019 report on federal agency cybersecurity, and the following seven agencies still show "systemic failures" in protecting information:
• The Department of State
• The Department of Transportation
• The Department of Housing and Urban Development
• The Department of Agriculture
• The Department of Health and Human Services
• The Department of Education
• The Social Security Administration
The report also specifies how these agencies fell short, finding that they failed:
"To protect personally identifiable information adequately, to maintain accurate and comprehensive IT asset inventories, to maintain current authorizations to operate for information systems, to install security patches quickly, and to retire legacy technology no longer supported by the vendor."
Taking all of this into account, the report includes a cybersecurity report card for all cabinet departments and the largest independent agencies, where the overall average grade was a C-minus.
Senators discuss cybersecurity failures
Senators Portman and Peters, the Ranking Member and Chairman of the Senate Homeland Security and Governmental Affairs Committee, expressed their concerns and urged everyone in government to take notice.
Here is what Senator Portman had to say:
"From SolarWinds to recent ransomware attacks against critical infrastructure, it's clear that cyberattacks are going to keep coming and it is unacceptable that our own federal agencies are not doing everything possible to safeguard America's data.
This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers.
I am concerned that many of these vulnerabilities have been outstanding for the better part of a decade—the American people deserve better. In the coming months, I will be introducing legislation to address the recommendations raised in this report so that America's data is protected."
He also made clear that the Biden Administration must establish a single point of accountability for federal cybersecurity to address these failures.
Here is what Senator Peters said:
"Shortcomings in federal cybersecurity allow cybercriminals to access Americans' personal information, which not only compromises our national security—but risks the livelihoods of people in Michigan and across the country. This report has identified an urgent need to further strengthen cybersecurity defenses at federal agencies and protect this sensitive data."
Cybersecurity recommendations for government agencies
The report reviews each agency individually, detailing the specific ways it failed to meet baseline cybersecurity requirements, and then summarizes its key findings.
Looking forward, it also provides a list of recommendations for these agencies, many of which apply just as well to private businesses.
Here are six recommendations from the report:
- "The Office of Management and Budget (OMB) should develop and require agencies to adopt a risk-based budgeting model for information technology investments."
- "There should be a centrally coordinated approach for government-wide cybersecurity to ensure accountability."
- "The Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Quality Services Management Office should expand shared services offerings to federal agencies, including improved, government-wide endpoint detection using primarily commercial off the shelf products and services to improve the operational effectiveness of EINSTEIN."
- "DHS should provide Congress with a plan to update EINSTEIN and to justify its cost."
- "The annual Inspector General FISMA Reporting Metrics developed by OMB, DHS, and the Council of the Inspectors General on Integrity and Efficiency should prioritize risk-based metrics that best demonstrate the maturity of an agency's information security program."
- "Congress should update the Federal Information Security Modernization Act of 2014."
For more information on cybersecurity in the U.S. government, read the full report.